Lapsus$ ransomware gang hits SIC, Portugal's largest TV channel

The Lapsus$ ransomware gang has hacked and is currently extorting Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country's largest TV channel and weekly newspaper, respectively.

The attack has taken place over the New Year holiday and has hit the company's online IT server infrastructure. Websites for the Impressa group, Expresso, and all the SIC TV channels are currently offline.

National airwave and cable TV broadcasts are operating normally, but the attack has taken down SIC's internet streaming capabilities.

The Lapsus$ group took credit for the attack by defacing all of Impressa's sites with a ransom note (pictured at the top of this article). Besides a ransom request, the message claims that the group has gained access to Impresa's Amazon Web Services account.

Impresa staff appeared to have regained control over this account earlier today when all the sites were put into maintenance mode, but the attackers immediately tweeted from Expresso's verified Twitter account to show that they still had access to company resources.


The Impresa attack is one of the largest cybersecurity incidents in Portugal's history. Impresa is, by far, the country's largest media conglomerate.

According to September 2021 TV ratings, SIC and all its secondary channels dominate the TV market, while Expresso has the largest circulation numbers for weekly periodicals. Nonetheless, Impressa also owns many other media companies and magazines, all of which are currently most likely impacted by the attack as well.


Prior to the Impressa attack, the Lapsus$ group has also hacked and ransomed Brazil's Ministry of Health, and Claro and Embratel, two South American telecommunication providers.

Members of the Lapsus$ group have not returned a request for comment sent via email. An Impresa spokesperson refused to comment on the attack.

This is the second ransom attack over the winter holiday that has hit a media conglomerate after the Ryuk gang hit Tribune Publishing, owner of the LA Times, in December 2018.

Despite warnings from US and German authorities, cyberattacks did not make too many waves during the recently passed winter holidays.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.